Online criminals are increasingly using subdomain registration services to register the fake websites used to launch phishing attacks. Subdomain services are typically unregulated and focus on high-volume, low-cost transactions, meaning that they provide excellent cover for attackers.

That's a key finding of a report released Tuesday by the Anti-Phishing Working Group (APWG) that focuses on phishing trends for the second half of 2010.

"Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse," said report co-author Rod Rasmussen, CTO of technology and services firm Internet Identity, in a statement. "Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services."

All told, in the second half of 2010, subdomain services hosted nearly 11,768 phishing websites, a 42% increase from the first half of the year. Interestingly, 40% of attacks launched via subdomain services used the CO.CC domain, based in Korea.

According to the APWG report, "phishers are probably attracted to co.cc because co.cc registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups." The report also said that while the domain administrators typically respond quickly to any reports of abuse, "co.cc supports more than 9,400,000 subdomains in more than 5,000,000 user accounts," which could make policing the influx of phishers difficult.

"Few such services take enough proactive measures to keep criminals from abusing their products in the first place," said report co-author Greg Aaron, director of key account management and domain security at Internet infrastructure services provider Afilias, in a statement.

But domain registrars that actively target phishers can help eliminate their threat. For example, according to the report, Pochta.ru, a Russian provider of free email, "almost completely eliminated phishing on its service," reducing the number of attacks launched via its site from 189 in the first half of 2010 to just 14 in the second half of the year.

The growing use of subdomain registration services means that attackers currently register roughly as many phishing websites via subdomains as via top-level domains. Interestingly, the majority of phishing attacks are launched using a rather small subset of domains. For top-level domains, 60% of attacks originate from .com, .cc, .net, and .org domains. Meanwhile, 89% of subdomain attacks are launched from the .com, .tk, .net, and .info domains.

Compared with past years, attackers today are more likely to register the malicious sites used in their attacks, especially if they're attacking Chinese websites, which are seeing increasing volumes of attacks. "Of the 42,624 phishing domains, we identified 11,769 (28%) that we believe were registered maliciously, by the phishers," said the report. "Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable Web hosting."

But there's good news from the report, in that the overall number of phishing attacks appears to be declining. In the second half of 2010, for example, the APWG saw 67,677 attacks--meaning "a phishing site targeting a specific brand or entity"--which was up from 48,244 in the first half of 2010. But that's still down from the 126,697 attacks seen in the second half of 2009. According to the report, "the decrease in attacks was due to reduced activity by the Avalanche phishing gang," which at its peak was the Internet's single most prolific phishing gang.
